///////////////////////////////////////////////////////////////////
ANY MACHINES RUNNING THE SNMP SERVICE ARE THE TARGETS IN THE LABS HERE
//////////////////////////////////////////////////////////////////

SNMP is another protocol that is often overly verbose.

SNMP is a protocol that many network administrators misunderstand. This often results in misconfigurations, which at best lead to a dramatic amount of information leakage.

*************************
SNMP is based on UDP, a simple stateless protocol, and is therefore susceptible to IP spoofing and replay attacks. In addition, the commonly used SNMP protocol versions 1, 2 and 2c offer no traffic encryption, so credentials (the community strings) can be easily intercepted across a local network.
*************************

Traditional SNMP protocols have weak authentication schemes and are commonly left misconfigured with default public and private community strings.

All of this exists in a protocol that is intended to manage the network.

DISCOVER, ENUMERATE AND EXPLORE DURING THE INFORMATION GATHERING PHASE.

The SNMP MIB (Management Information Base) database is organised as a tree where branches represent different organisations or different functions. The leaves of the tree, or final endpoints, usually correspond to specific values that can be accessed and probed by an external user.

Alternatively, we can use a tool such as onesixtyone, which takes this a step further and checks given community strings against an IP list, essentially allowing us to brute force various community strings against a set of IPs.

To demonstrate the use of onesixtyone, we need a list of community strings:
#cat community
public
private
manager

We also have a list of IP addresses that we wish to run our SNMP scan against:

Once these SNMP services are found and known to respond to a specific community string, we can start querying them for additional SNMP MIB data that might be interesting to us.

SNMP ENUMERATION: ACTIVE INFORMATION GATHERING: SNMPWalk

We can probe and query an SNMP service using tools such as snmpwalk, provided that we know at least the SNMP read-only community string, which in most cases is 'public'.

Let's try some examples against a Windows lab machine that is running the SNMP service.

We will start by using snmpwalk to walk through the entire MIB tree of a Windows SNMP service and display the values of each leaf in the tree.

-c = community string
-v = the version of SNMP to use

#snmpwalk -c public -v1 192.168.31.227

The output of this query will include a huge amount of information, which at times will be hard to digest or even understand.
A better approach is to query only certain branches or values in this MIB tree, thus getting more targeted information.

Using the MIB values in this file, I'll use snmpwalk to extract very specific information about the Windows machine.